The Secure Cloud Configuration Imperative


Research Objectives 


The composition of cloud-native applications is a mix of APIs, containers, VMs, and serverless functions continuously integrated
and delivered. Securing these applications, the underlying infrastructure, and the automation platforms that orchestrate
their deployment necessitates revisiting threat models, gaining organizational alignment, and leveraging purposeful controls.
Additionally, as security and DevOps continue to converge, cloud security controls are being consolidated. Project teams are
evolving from a siloed approach to a unified strategy for securing cloud-native applications and platforms. In parallel, vendors are
consolidating cloud security posture management (CSPM), cloud workload protection (CWP), container security, and more into
integrated cloud security suites, impacting buyer personas and vendor sales motions.


In order to gain insight into these trends, ESG surveyed 383 IT and cybersecurity professionals at organizations in North America 
(US and Canada) personally responsible for evaluating or purchasing cloud security technology products and services. 





THIS STUDY SOUGHT TO:

Gauge the state of organizational convergence, tool
consolidation, and the emergence of platforms.

Assess the current and future composition and
environments of cloud-native apps and infrastructure.

Vet the go-forward strategy with respect to top
priorities, spending intentions, and approaches for
securing cloud-native environments.

Explore the problem space with respect to
operational challenges and the threat landscape.

RESEARCH HIGHLIGHTS

THE CLOUD FOOTPRINT
The use of cloud services is increasingly strategic and heterogeneous.

THE CLOUD ATTACK SURFACE
Misconfigured services and a visibility gap have expanded the attack surface.

CONSEQUENCES OF MISCONFIGURATIONS
Misconfigurations lead to compromised data and the introduction of malware.

SPOTLIGHT: SHIFTING CSPM LEFT
Secure DevOps measures include automating scanning infrastructure-as-code (IaC) templates.

ESSENTIAL INVESTMENTS
Increased spending on cloud security controls is planned, with a preference for integrated platforms.

The use of cloud services is increasingly strategic and heterogeneous.

Production workloads are shifting to multiple public clouds


The deployment of production server workloads across 
hybrid multi-clouds is introducing additional complexity, 
further challenging the ability to realize cybersecurity 
objectives. Securing such disparate environments has led to 
a lack of consistent policies, exposing enterprises to greater 
risk of data loss and cyber-attacks. 







[Figure: Production server workloads in the cloud. Series: percent of production workloads run on public cloud infrastructure services today (N=369) and 24 months from now (N=383). Categories shown: 41% to 50% of workloads; more than 50% of workloads.]

The average IaaS user





Data, most of which is sensitive, is also shifting to public cloud

The expanding adoption of public cloud services is resulting in a notable projected increase in
cloud-resident data. The use of public clouds for business-critical purposes is highlighted by the
amount of cloud-resident data considered sensitive. Where does that sensitive data live? Across
both SaaS applications and IaaS/PaaS platforms.


[Figure: Percent of cloud-resident data that is sensitive. Series: proportion of SaaS-resident data that is sensitive today (N=298); proportion of IaaS/PaaS-resident data that is sensitive today (N=301). Categories shown: "I would categorize all of this data as sensitive"; "I would categorize the majority of this data as sensitive".]

[Figure: Percent of data residing in the cloud. Series: currently; expected 24 months from now. Categories shown: 51% to 75% of data; more than 75% of data.]

Estimated means shown: 40% and 57%.
The Cloud Attack Surface

Misconfigured services and a visibility gap have expanded the attack surface.

The cloud attack surface trifecta: visibility, access, and configurations


The abstract nature of public cloud platforms has created a need for greater visibility into the configuration of cloud services.
An increase in the phishing of cloud credentials has led project teams to require a trail of the use of both privileged user and
service accounts to detect potential account takeover (ATO) attacks. Improving visibility also entails vetting the configuration of
server workloads against industry benchmarks and identifying the location of secrets such as API keys.


[Figure: Most important approaches to improving security visibility for cloud-native apps. Items shown:]

An audit trail of privileged user and service account activity
Identifying workload configurations that are out of compliance, including those that do not adhere to industry best practices and regulatory frameworks
Location and disposition of secrets
Identifying software vulnerabilities
The configuration of security groups
The permissions associated with service accounts

[Callout, percentage not recoverable:] ... of cybersecurity professionals believe the lack of access to the physical network and the dynamic nature of cloud-native applications and elastic infrastructure create visibility blind spots, making security monitoring challenging.
Access-related issues headline a series of misconfigured cloud services


Externally facing workloads subject to port scanning and open ports join a set of permission and access control-related issues. The prevalence of misconfigured cloud services, including 
insecure management consoles, serves as a call to action to treat cloud configuration management as a strategic imperative. 


Ten most common cloud misconfigurations in the past 12 months.

30%  Default or no password for access to management consoles
27%  Externally facing server workloads
25%  Overly permissive service accounts
25%  Overly permissive user accounts
23%  Externally facing web servers not protected with a web application firewall and/or load balancer
22%  Virtual machines and/or containers running as root
22%  Lack of multi-factor authentication for access to cloud and/or Kubernetes management
22%  Misconfigured security group permitting traffic to/from restricted IP addresses
19%  Disabled logging leading to the lack of audit trails of account, user, and system activity
19%  Open management ports
The Consequences of Misconfigurations

Misconfigurations lead to compromised data and the introduction of malware.


Misconfigured cloud 
services are often exploited 
by cyber-adversaries 


Data compromises, failure to meet SLAs, 
and the introduction of malware highlight 
the need for greater attention to secure 
cloud configurations via the use of cloud 
security posture management (CSPM) 
controls. Malware that moves laterally, 
including crypto miners, is the top attack 
type against cloud-native environments. 

Malware that moved laterally was the most common cloud-native security incident experienced in the last 12 months.





Results of cloud misconfigurations. 


Unauthorized access to applications and data 

Remediation steps impacted service level agreements (SLAs) 

The introduction of malware 

The introduction of crypto-jacking malware to mine cryptocurrency 
The introduction of ransomware 

We were fined due to non-compliance with an industry regulation 


We lost data 

Challenges scoping roles lead to overly permissive accounts


The best practice of least privilege access (LPA) has been challenging to implement via the use of controls provided by
cloud service providers. The inability to do so leads to overly permissive user and service accounts, representing a highly
vulnerable aspect of the cloud attack surface area.


Roles and permissions for access to cloud services are difficult to manage with the native controls offered by the CSP. 

The average organization estimates that 30% of their human and non-human identities are over-permissioned across cloud services.

Spotlight: Shifting CSPM Left


Secure DevOps measures include automating
scanning infrastructure-as-code (IaC) templates.

The need to scale via automation is driving secure DevOps practices


The speed at which cloud-native applications are delivered to production via continuous integration and continuous delivery 
(CI/CD) processes necessitates the inclusion of security controls. Fortunately, security measures are now being incorporated 
into DevOps processes as a means to keep pace at scale. 


41% say automating the introduction of controls and processes via integration with the software development lifecycle and CI/CD tools is a top priority.

[Figure: Integration of security processes and controls via DevOps processes. Response options shown:]

We have incorporated security into our DevOps processes extensively
We plan to incorporate security into our DevOps processes
We are evaluating security use cases that can be incorporated into our DevOps processes
We have incorporated security into our DevOps processes in a limited fashion
We have not yet discussed how security fits with our DevOps processes

Automating cloud security posture management via DevSecOps


Current and planned DevSecOps use cases
span the cloud-native application lifecycle,
including addressing misconfigured cloud
services in production and pre-deployment
by scanning infrastructure-as-code (IaC)
templates. As a result, more production
cloud-native applications will be secured via
DevSecOps practices over time.

[Figure: Security practices automated via integration with DevOps. Series: currently automated via DevOps; plan to automate via DevOps in the next 12-24 months. Items shown: identify misconfigured services via IaC template scanning; scanning of production environments for misconfigurations.]

[Figure: Cloud-native applications secured via DevSecOps. Series: percent of cloud-native production applications secured via DevSecOps today; percent of cloud-native production applications secured via DevSecOps 24 months from now. Categories shown: 51% to 75% of apps; more than 75% of apps.]

Essential Investments

Increased spending on cloud security controls is planned, with a preference for integrated platforms.

Cloud security posture management (CSPM) tops cloud security investments


The internal development of cloud-native 
applications and increased usage of public 
cloud infrastructure is leading organizations to 
make essential investments. The top areas of 
incremental spending on cloud-native security 
focus on cloud security posture management 
and cloud workload security. This focus 
indicates a defense-in-depth approach that 
will require an integrated platform. 

[Figure: Expected cloud-native app security spending change over the next 12 months. Categories shown: increase substantially; increase slightly.]

Top three cloud-native app security controls that will benefit from increased spending.

Cloud security posture management
Cloud workload protection platforms
Endpoint detection and response for cloud-resident workload

The preference for consolidated controls will be met by integrated platforms


There is a strong preference to transition from silos of separate controls to an integrated cloud-native security platform. The 
shift to cloud-native application protection platforms (CNAPP) to meet this requirement is actively underway. 


[Figure: Preferred security controls for protecting cloud-native applications and infrastructure. Series: current approach; 24 months from now. Value shown: 35%. Response option shown: "We prefer a consolidated set of controls based on an integrated platform with convergence across environments (i.e., public cloud vs. on-premise) and server workload types".]

53% plan to consolidate into an integrated platform within the next 12-24 months.

Trend Micro, a global leader in cybersecurity, helps make the world safe for
exchanging digital information. Leveraging over 30 years of security expertise,
global threat research, and innovation, Trend Micro enables resilience for
customers by providing security solutions across the cloud and IT infrastructure.


Optimized for the cloud and designed to simplify security via automation, Trend
Micro Cloud One™ delivers world-class security in a single platform, helping you
migrate to the cloud and innovate securely with compliance.


ABOUT ESG


Enterprise Strategy Group is an integrated technology analysis, research, and strategy firm
providing market intelligence, actionable insight, and go-to-market content services to the
global technology community.

Research Methodology and Demographics


To gather data for this report, ESG conducted a comprehensive online survey of IT and cybersecurity professionals from private- and public-sector organizations in North America 
(United States and Canada) between December 7, 2020 and December 26, 2020. To qualify for this survey, respondents were required to be IT and cybersecurity professionals 
personally responsible for evaluating or purchasing cloud security technology products and services. All respondents were provided an incentive to complete the survey in the form of 
cash awards and/or cash equivalents. 


After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left 
with a final total sample of 383 IT and cybersecurity professionals. 







RESPONDENTS BY NUMBER OF EMPLOYEES (remaining segments not recoverable)
1,000 to 2,499, 24%
2,500 to 4,999, 22%
5,000 to 9,999, 17%
10,000 to 19,999, 8%

RESPONDENTS BY AGE OF COMPANY
5 years or less, 9%
6 to 10 years, 28%
11 to 20 years, 35%
21 to 50 years, 19%
More than 50 years, 10%

RESPONDENTS BY INDUSTRY (percentages not recoverable)
Financial
Manufacturing
Retail/wholesale
Technology
Healthcare
Communications & media
Business services
Government
Other